
Keep your dependencies in check


If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

November 08, 2023


Transcript

  1. Keep your dependencies in check
     All Day DevOps on Tour: Malmö Edition - Nov 8, 2023
     https://maritvandijk.com/ @MaritvanDijk77
  2. Gradle
     • Check for updates: add a plugin, e.g. gradle-versions-plugin
     • Run `./gradlew dependencyUpdates`
     https://github.com/ben-manes/gradle-versions-plugin
  3. Gradle
     • Analyze dependencies: add a plugin (e.g. nebula gradle-lint-plugin)
     https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule
  4. Gradle
     • Analyze dependencies: add a plugin (e.g. nebula gradle-lint-plugin)
     • Run `./gradlew fixGradleLint`
     https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule
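As an added example (not from the deck), here is a Groovy build.gradle that wires both plugins from slides 2 to 4 into one build. The plugin ids and the `isNonStable` predicate follow the plugins' own READMEs; the version numbers, the sample dependencies and the assumption that nothing imports Guava are constructed for illustration.

```groovy
// build.gradle (Groovy DSL). Added example, not from the deck.
// Plugin versions and the sample dependencies below are assumptions.
plugins {
    id 'java'
    id 'com.github.ben-manes.versions' version '0.50.0'  // gradle-versions-plugin
    id 'com.netflix.nebula.lint' version '18.1.0'        // nebula gradle-lint-plugin
}

repositories { mavenCentral() }

dependencies {
    // Constructed sample: an old log4j-core so dependencyUpdates has something to report
    implementation 'org.apache.logging.log4j:log4j-core:2.14.1'
    // Constructed sample: assume nothing in src/main imports Guava, so the
    // unused-dependency rule should flag it
    implementation 'com.google.guava:guava:31.0.1-jre'
    testImplementation 'org.junit.jupiter:junit-jupiter:5.9.0'
}

// A release candidate, milestone or snapshot is not a version an update
// report should push us towards; this predicate is adapted from the
// gradle-versions-plugin README.
def isNonStable = { String version ->
    def stableKeyword = ['RELEASE', 'FINAL', 'GA'].any { version.toUpperCase().contains(it) }
    def regex = /^[0-9,.v-]+(-r)?$/
    return !stableKeyword && !(version ==~ regex)
}

tasks.named('dependencyUpdates').configure {
    rejectVersionIf { isNonStable(it.candidate.version) }
    checkForGradleUpdate = true        // also report a newer Gradle distribution
    outputFormatter = 'json,plain'     // plain for the terminal, JSON for CI to archive and diff
    outputDir = 'build/dependencyUpdates'
}

gradleLint {
    rules = ['unused-dependency']      // report only
    // Use criticalRules instead to fail the build rather than just report:
    // criticalRules = ['unused-dependency']
}
```

`./gradlew dependencyUpdates` only reports; nothing in the build changes. `./gradlew lintGradle` reports lint findings, while `./gradlew fixGradleLint` rewrites build.gradle in place, so review the result with `git diff` before committing. The unused-dependency rule works from compiled classes, so the project has to compile first, and bytecode analysis cannot see a dependency that is only loaded by reflection or ServiceLoader (a logging backend, a JDBC driver): run the test suite against a proposed removal before accepting it.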
  5. Pros & Cons (build tool plugins)
     + Check dependencies while working on the project
     - Have to check out each individual project
     - Have to apply & verify updates yourself
  6. SCA: Pros & Cons
     + No need to check out repos individually
     - I have to check the dashboard
     - Apply & verify updates
  7. Features (columns: Dependabot; Renovate; Snyk Open Source)
     • Alerts: Y
     • Security updates: Y; Y; Y
     • Version updates: Y (with extra config); Y; Y
     • Dashboard: Y; Y
     • Check PRs for vulnerable dependencies: Y
     • Scan code for vulnerabilities: Y
  8. Options (columns: Dependabot; Renovate; Snyk Open Source)
     • Repos: All; All vs. selected only; Public only vs. public & private (can disable for repo)
     • Scheduling: Daily / Weekly / Never; Very detailed (presets, cron syntax, ..); Daily / Weekly / Never
     • Info in PR: Severity metrics; Adoption rate, % passing tests, Confidence level; Severity, Breaking change, Known exploits
     • Max. nr. of PRs: Y (default 5); Y, and concurrent branches; New and/or known vulnerabilities
     • Bundle updates in PR: Y (with config); Y (by default)
     • Rebase strategy: Y; Y; TODO
     • Rule-based automerge: Y
     • Check PRs: Y
  9. Platforms
     • GitHub: Dependabot: GitHub native. Renovate: GitHub.com, GitHub Enterprise Server. Snyk Open Source: GitHub, GitHub Enterprise, GitHub read-only projects
     • GitLab: Dependabot: GitLab (with config). Renovate: GitLab.com, GitLab CE/EE. Snyk Open Source: GitLab
     • Bitbucket: Renovate: Bitbucket Cloud, Bitbucket Server. Snyk Open Source: Bitbucket Cloud Personal Access Token (Legacy), Bitbucket Cloud App, Bitbucket Data Center/Server
     • Azure: Renovate: Azure DevOps. Snyk Open Source: Azure (TFS) Repos
     • AWS CodeCommit: Renovate
     • Gitea and Forgejo: Renovate
  10. Bots: Pros & Cons
     + Relatively easy to install
     + Automatic PRs
     - Can create "noise"
     - Manage PRs (merge & deploy)
     - Do NOT update your code (if needed)
  11. IntelliJ IDEA
     • Refactor > Migrate Packages and Classes
     https://www.jetbrains.com/help/idea/migrate.html
  12. IntelliJ IDEA
     • Refactor > Migrate Packages and Classes >
       • Java EE to Jakarta EE
       • JUnit (4.x -> 5.0)
       • JavaFX (8 -> 9)
     https://www.jetbrains.com/help/idea/migrate.html
  13. Error Prone
     • Static analysis tool for Java to catch common programming mistakes at compile-time
     • Maven, Gradle, etc.
     • IntelliJ IDEA / Eclipse plugin, command line
     • Bug patterns
     • Report or fix
     • Custom checks
     • Includes Refaster: refactor code using before-and-after templates
     https://errorprone.info/
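An added example, not from the deck or the Error Prone project, of what "report or fix" looks like in a Gradle build: Error Prone is enabled through the net.ltgt.errorprone plugin, two checks are promoted to compile errors, and an opt-in property switches the same checks from reporting to patching the sources in place. The plugin and Error Prone versions are assumptions; the check names and the `-XepPatchChecks` / `-XepPatchLocation` flags are Error Prone's own.

```groovy
// build.gradle (Groovy DSL). Added example, not from the deck or Error Prone.
// Plugin and Error Prone versions are assumptions.
plugins {
    id 'java'
    id 'net.ltgt.errorprone' version '3.1.0'
}

repositories { mavenCentral() }

dependencies {
    // The checker runs inside javac; it goes on the plugin's 'errorprone' configuration
    errorprone 'com.google.errorprone:error_prone_core:2.23.0'
}

tasks.withType(JavaCompile).configureEach {
    options.errorprone.disableWarningsInGeneratedCode = true
    // Promote selected bug patterns from warning to compile error so CI blocks them
    options.errorprone.error('MissingOverride', 'DefaultCharset')
    // Silence a pattern the team has decided not to enforce
    options.errorprone.disable('UnusedVariable')

    // "Fix" mode: ./gradlew compileJava -PerrorProneFix asks Error Prone to apply
    // the suggested fixes for these checks to the source files instead of reporting.
    if (project.hasProperty('errorProneFix')) {
        options.errorprone.errorproneArgs.addAll(
            '-XepPatchChecks:MissingOverride,DefaultCharset',
            '-XepPatchLocation:IN_PLACE')
    }
}
```

Patching only touches files javac actually compiles, so run the fix mode after `./gradlew clean` (or with `--rerun-tasks`) to cover the whole source set, and review the diff before committing: an automated fix is still a code change that needs the tests to pass.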
  14. OpenRewrite
     • Source code refactoring for framework/API migrations, vulnerability patches, and static code analysis fixes
     • Java, Kotlin & Groovy support
     • Maven/Gradle
     • Run without a build tool
     • Early support for Python, TypeScript, ...
     https://docs.openrewrite.org/
  15. OpenRewrite
     • Existing recipes
       • Upgrade versions
       • Migrate libraries
       • Fix static analysis issues
     https://docs.openrewrite.org/running-recipes/popular-recipe-guides
  16. OpenRewrite
     • Existing recipes
     • Can author your own recipes
     https://docs.openrewrite.org/
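As an added example, not from the deck or the OpenRewrite docs, this Groovy build.gradle runs two of the existing recipes from slide 15 through the OpenRewrite Gradle plugin: the Java EE to Jakarta EE and JUnit 4 to 5 migrations that slide 12 did interactively in the IDE, here as a repeatable build step. The plugin and recipe-BOM versions are assumptions; the recipe names are the published ones from rewrite-migrate-java and rewrite-testing-frameworks.

```groovy
// build.gradle (Groovy DSL). Added example, not from the deck or OpenRewrite.
// Plugin and recipe-BOM versions are assumptions.
plugins {
    id 'java'
    id 'org.openrewrite.rewrite' version '6.6.0'
}

repositories { mavenCentral() }

dependencies {
    // Recipe modules are resolved on the 'rewrite' configuration; the BOM keeps
    // their versions consistent with each other
    rewrite platform('org.openrewrite.recipe:rewrite-recipe-bom:2.5.0')
    rewrite 'org.openrewrite.recipe:rewrite-migrate-java'
    rewrite 'org.openrewrite.recipe:rewrite-testing-frameworks'
}

rewrite {
    // The two migrations the IntelliJ slide listed, now as recipes anyone can re-run
    activeRecipe 'org.openrewrite.java.migrate.jakarta.JavaxMigrationToJakarta'
    activeRecipe 'org.openrewrite.java.testing.junit5.JUnit5BestPractices'
    // Let CI run rewriteDryRun and fail when the recipes would still change
    // something, without ever writing to the checked-out tree
    failOnDryRunResults = true
}
```

`./gradlew rewriteDryRun` writes the proposed changes to build/reports/rewrite/rewrite.patch for review; `./gradlew rewriteRun` applies them to the working tree, so commit or stash first. OpenRewrite builds a type-attributed model of the sources, so the project must compile against its current dependencies before the recipes can run. For the "author your own recipes" point on slide 16, a rewrite.yml at the project root (type `specs.openrewrite.org/v1beta/recipe`, a `name`, and a `recipeList` composing existing recipes) is picked up by the plugin automatically and is activated with `activeRecipe` by that name, exactly like the published ones above.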